0

I received the below request, just curious how I can go about doing this. I have IPs direct from ARIN and my own rdns server.

**

As you guys know I am a mailer, but I keep things very clean. My other provider I am currently getting Class C's from provides a private DNS. This way the public cannot view RDNS setup but the ISP's are allowed to see and verify RDNS. Do you offer this? The reason behind non-public rdns is to help a mailer like myself to keep IP space long term when using Class C's. There are blacklist organizations that scan Internet IP space looking for Class C's with a huge RDNS setup and then listing those IP blocks. By making the RDNS private you are making it so when these organizations scan there is nothing to see. However with ISP's being able to see the DNS server they are able to complete RDNS verification before accepting mail from the IPs. If you don't have this setup available that is fine I was just wondering since I am interested in larger IP space, but just need this kind of setup to be confident in keeping things long term.

Faith In Unseen Things
  • 119
  • 1
  • 6

2 Answers2

2

There are two ways to do this, but it involves building a filter list that won't be accurate. You can put the filter list of "good" IP addresses to access the zone in the named server configuration itself (a view) or you can build a firewall to drop packets from anything not on your good list.

However, this isn't a good tactic to use in the first place even if you could get the list of addresses that are valid to query from to be stable and accurate (which you can't). It's likely that the querying ISP will be using their own normal resolver that is the same resolver that the ISP's clients will use. If that's the case you're adding the client's default resolver to the white list, so everyone using the ISP can see the results too.

In short: that's a bad thing to do and you'd waste a ton of time trying to get it to work and it never will completely.

Wes Hardaker
  • 774
  • 5
  • 6
0

I am not an ISP, but do accept email. If I can't verify your rDNS then I am likely to block your email. If you are using your ISPs servers as a relay, give the Class C back and use their private namespace. As a mailer you need postmaster@ and abuse@ address open for every sending domain. Track bounces and bit bucket the rest. If you are mailing on behalf of someone use a secondary domain like campaign.client.com. Check out http://www.maawg.org/sites/maawg.

Setup an SPF like 'v=spf1 a -all' for all your sending domains. This will help limit their use by spammer. Failing this SPF on your HELO will get your message rejected. I may investigate its use on the rDNS address of the host as well. It should be the same as the HELO address but unfortunately is not always.

Bulk and automated mailers make blocking server forgeries difficult because they so often get their DNS and server configuration wrong. I hope you do it right.

BillThor
  • 27,737
  • 3
  • 37
  • 69